When Symfony2 was created I first learned about the functional test, which is an interesting type of test where everything about your application is as real as possible. Just like with an integration or end-to-end test. One big difference: the test runner exercises the application’s front controller programmatically, instead of through a web server. This means that the input for the test is a Request object, not an actual HTTP message.

Drawbacks of functional tests

This approach has several drawbacks, like:

1. Faking a Request object means you don’t know if the code also works in a production environment, when an actual HTTP request will be provided as input.
2. Inspecting a Response object instead of a real HTTP response message comes with the same risk, but my guess is that it’s a less severe risk.
3. Since you have access to the application’s service container you may be tempted to open the black box and replace all kinds of services, or otherwise influence them. I recommend doing no such thing.
4. You are likely to end up testing all kinds of domain-related behaviors through thick layers of unrelated code.
   This obscures the view on the real issues and makes it hard to figure out what’s wrong, if anything pops up. Combining this with drawback 3 you often find yourself rummaging around in all the stuff that’s on the inside of your application, lengthening the feedback loop between building something and finding out if it works. Because these tests end up being white-box tests after all, you also end up with many cracks; it will be easy for anything to fall through them and you’ll only find out if that happened when the code is already running in production.

Another issue I see with functional tests is that the assertions that are made are often something like: “I see in database”. This too is like opening the box and looking inside. I’d like to follow this reasoning instead: if, as a user of the system, I expect a request to produce some kind of effect, then I should be able to notice this effect as a user. And as a user I can’t look directly inside the database. There must be some other aspect of the system that was changed when I made that request. E.g. after registration I can now log in, or the product I added to my basket actually shows up on the “my shopping basket” page.

In some rare cases the desired effect can’t be observed by a user. For instance, when you expect a certain message to be published to a queue. Well, maybe a functional test isn’t the right place for such a check after all, and you can prove that the message will be published using a combination of other, smaller tests. But if you still want to do it, you’d have to do a quick peek into the box after all. Sometimes that’s just how it is. But always look for ways to prevent this, and let your application remain the black box that you poke at with HTTP requests only, making only assertions about the response you receive.

Having discussed many of the downsides now, let’s not forget the good parts: we don’t have to deal with a web server or run all those slow browser tests without getting a “90% okay” approval from our tests. We can accept the “risk” and work with functional tests instead of true end-to-end tests which force the test to send an actual HTTP request to an actual web server and wait for an actual HTTP response. We can benefit from some options for peeking-in-the-box. If we can keep the number of times we do this to the absolute minimum, we will end up with high-quality tests that don’t fail for just any random reason, like concurrency issues.

Bringing the database in the right state

One thing that turns out to be quite hard when writing functional tests is getting the database in the correct state for running the tests. In fact, we have to get it in the right state before each test, so that tests can’t influence each other when they use the same database tables. Ideally I’d always use the actual steps that a user would take to get that data into the database, instead of loading data directly into the database using some kind of fixture generation tool. But for some data, this is just impossible. That data needs to be there from the start. Sometimes it’s because how the application has been designed; or maybe nobody realized there was a problem until they started writing tests (we call it a “legacy application” then ;)). Sometimes it’s a hint that this data-that-is-always-there should not be in the database but in the code instead, since the code is by definition always-there. See also About fixtures.

Before running a functional test you have to get the database into the correct s

Truncated by Planet PHP, read more at the original (another 6953 bytes)

This blog explains:

• Why you should update PHP.
• Signs of a security breach.
• Manual and automated options for PHP downloads.

Why Update PHP?   

Using the newest version of PHP is one of the best and easiest ways to keep your PHP applications secure. It really takes just one kink in the armor for the bad guys to get in, so it’s critical to close any vulnerability that a hacker can exploit to gain access to your sensitive data.

This is my first “lockdown” week-end after a week of confinement. I’m not alone.
Most of us are confined now. Most of the world is confined or will be very soon.

I won’t go outside this week-end and that’s fine.

I’m lucky. I share my life with my wife and my two sons in my apartment in Lille, France.
Hopefully, we’re not infected. Not yet. We’re now following the rules very strictly. To protect us, but
more importantly, to protect everyone else. Let’s not be selfish.

In January and February, the weather was bad. It rained every single day. Or it seemed so.
Since the beginning of the week, sun made a big come back.
The sun taunts me. If you know me a little, you know that I would really like to go outside.
Buy a book in my local bookstore, buy some groceries, find some new cheese to taste,
bike to the butcher, jog in the biggest public park of the city. I would love to do all of these activities today.
Like every “regular” Saturday. But for the next few weeks, my world will look different. I need to adapt.
And that’s fine. I can certainly wait.

I’m lucky. I can work from home. My sons are 12 and 15, so they can do their homework on their own.
Wonderful kids. They know how to spend their time. They read books, they watch some episodes
of their favorite series on TV. They draw and they are talented. Don’t ask me to draw anything.

I’m lucky. I’m the CEO of two great companies. Symfony and Blackfire. Remote first companies. All
employees are working remotely, from home. They live everywhere in the world. I’m proud of them.
They are confined like everyone else. Some have kids at home. Some are anxious. We are all reading
the news, trying to understand what’s going on; trying to imagine the impact of this “tornado”.
We are also trying to keep working. As “usual”. Let’s be honest, maybe less than usual.
That’s fine.
The business is impacted. Some customers have already canceled their subscription. Very little
new customers this week. That makes sense.
At Symfony, we’re canceling or postponing all our worldwide conferences. At Blackfire,
our marketing is mostly about sponsoring conferences. All our eggs in the same basket. How ironic.
Everyone is on board to imagine our future. We have many ideas to reinvent ourselves. I’m blessed.

I’m lucky. I’m young-ish and I’m in good health. I want to help but I’m not a doctor. I’m trying to support my
family and my employees the best I can. There is blood shortage in France, and in some other countries.
I will donate my blood next week.

This is the week-end. I won’t go outside. I will probably read fiction books and code. I will cook for sure. As usual.
But I will also take some time to dream. For a change. Or perhaps thinking about what’s next.

Be strong, stay safe.

As we all manage work during the COVID-19 outbreak, we want you to know that Zend by Perforce is here to help you keep business running.

Our global teams will continue to work remotely to provide all your services, including mission-critical support.

Between tasks I spend a fair time on Stack Overflow, which is (truth be told)
a love/hate relationship.

There’s a few recurring questions that I feel deserve a longer explanation.
Last time, I wrote about how to use MySQL in Node.js, but today I wanted
to write about the fetch no-cors setting.

What is CORS?

Browsers have a ‘sandbox’. This sandbox prevents a script on some domain to do
things on other domains.

For example, if a script runs on domain1.example.com, it is not allowed to do
a PUT request on domain2.example.org. It also can’t embed an <iframe>
from domain2 and read its contents.

A script making a request to a different domain is very useful though, so
workarounds were invented. Examples are server-side proxy scripts, using Flash
and passing messages via iframe urls (and later on postMessage).

But then CORS came along, which offered a better solution. CORS allows
domain2 to say: “domain1 is allowed to make requests”.

The browser sandbox is not specific to exactly the domain. It’s actually the
combination of the scheme (http or https), the domain and the port. Those
3 parts combined are called the “origin”.

So, this is the first popular misconception: CORS does not add security, it
selectively removes it. CORS is strictly opt-in, so if an origin does not have
support for CORS headers, the old behavior stays in effect.

What is no-cors?

If you’re trying to fetch() to another origin, and this origin does not
opt into CORS, your request will return a network error and some messaging
in the console.

If you don’t control the API you are calling, you might be looking for
alternative solutions, and you might run into no-cors:

const result = await fetch('https://domain2.example.org', { method: 'POST', mode: 'no-cors', headers: { 'Content-Type': 'application/json', }, body: JSON.stringify({ foo: 'bar' }),
});

If you see the no-cors setting, you might think that you are simply turning
off the CORS check, and when trying no-cors it the first thing you might
notice is that the request now actually shows up on your network tab!

However, you will quickly run into new problems. no-cors doesn’t just turn
off the check. It has greater consequences that make the request ‘safe’.

These are the main effects:

• Any request header except: Accept,